Viewing Privacy as a Security Property
George Danezis
K.U. Leuven, ESAT/COSIC, Kasteelpark Arenberg 10,
B-3001 Leuven-Heverlee, [email protected]
July 26, 2006
George Danezis Viewing Privacy as a Security Property
Perspective and Scope

What is this talk about?
- Explore the relations between notions of ‘privacy’ and ‘traditional security’.
- Key thesis: privacy is better understood as security!

How do we proceed?
- In two parts: 1) Intro to Privacy 2) Some privacy properties.
- High-level: keep out the very technical details that cloud the overall picture, unless provoked. (Implementation issues, system specifics, cryptography, statistics, standards: lots of details.)
- Focus on technology and technology policy in relation to privacy. (There is also law, sociology, political science, and politics.)
- Look at privacy in the context of computer security, with tools like security properties, adversary models, security policies, . . .
- A clear focus on the real world and its constraints.
Security or Privacy: a caricature of the debate

The terms in which the debate is often framed today. Privacy (vague definition) is important, but. . .
- . . . what about abuse and accountability?
- . . . difficulties for law enforcement?
- . . . copyright or libel?
- (. . . what does a good, honest person have to hide anyway?)

Established wisdom:
- Need for a balance. . .
- Control/limit dangerous technology (or research).
- Result: surveillance by design → no privacy (often).

Only possible conclusion: security is most important!
Security and Privacy in Context

A brief history of security (after Needham), and where does privacy fit?
- Early days (pre-1970s): security for government and military. Focus on confidentiality properties. Some work on tamper resistance, signals intelligence, . . . Keep secrets using computer security (and also an army, the full legal system, advanced research, the police, . . .).
- 70s to 90s: commercial security and security for enterprises. Focus on integrity and authenticity: bank transactions, contracts, audits, signatures. Using computer security (and an army of managers, accountants, technicians, lawyers, . . .).
- 90s to today: security for households, citizens, civil society. Most computers get networked, and everyone starts having their own security worries. BUT: limited budget, and no army of any type. . . The era of privacy concerns.
Privacy is Security (I)

But let's go further, beyond just ‘balance’:
- Privacy properties and technologies are there to satisfy valid security needs.
- Definition of privacy I prefer: informational self-determination, i.e. giving out less information and gaining more control over one's informational environment.
- Examples: freedom from surveillance and profiling, flexibility to access and use content and services, freedom from compulsion, . . .
- Small(ish) entities: no serious means to gain assurance (no expertise, no budget).

Question: who are the small entities?
- Households and individual citizens.
- NGOs, societies, . . .
- Small companies with no tech department?
- Small(ish) governments? (Greek illegal wiretapping. . .)
Privacy is Security (II)

Like all security, privacy must be technologically supported:
- Privacy/security needs cannot just be satisfied with good intentions.
- Laws are necessary but not sufficient to protect privacy/security. Think of a bridge, or top secret documents. . .
- Technology must provide assurances where possible, procedures and audits where it is not.
- Hence the development of Privacy Enhancing Technologies (PETs).

One more twist: we all use the same infrastructure!
- Despite varying capabilities, infrastructure is shared!
- Telecommunications, operating systems, search engines, on-line shops, software, . . .
- Denying security to some means denying it to all! (Examples: crypto, DRM.)
Where next?

Present some interesting privacy/security properties:
- A critical look at the standard security properties, and how they can be fortified for privacy.
- Some new concepts that are antithetical to current security practice (non-repudiation vs. plausible deniability).
- Why are these useful?
At the beginning there was Authentication

Early work on security focused on authentication (Needham): the first step before any security policy can be applied.
- Makes sense in a government, commercial or military context.
- But does it make sense when you do not have a closed user group?
- From authentication to identity management (Kim Cameron's work).

Privacy preserving authentication mechanisms:
- Private authentication: to protect against third parties.
- Anonymous credentials: to protect against all.
Private Authentication

How authentication traditionally works:
- (Alice) → (Bob): Hi all! I am Alice, and I think you are Bob, and here is some crypto stuff.
- (Bob) → (Alice): Hi Alice, Bob here! . . .

Great for flirting on WiFi, not great for privacy.
- Solution: hide Alice's identity from third parties (private authentication).
- Hiding both Alice and Bob is a bit more tricky (you really need public keys).
- Failed authentication should not give out any information about either.
- When both have multiple identities it is even more tricky.

It is great to see that such an old field has so much life left in it.
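The hidden-initiator exchange sketched above, worked as an added example that is not part of the talk. It uses pre-shared symmetric keys and HMAC (standard library only) rather than the public-key construction of Abadi and Fournet's private authentication; the peer table, the message labels and the fixed responder identifier "bob" are constructed for the demo. Alice's name never appears on the wire, Bob recognises her by trial verification over his peer table, and a failed attempt gets a random reply of the normal length, so neither an eavesdropper nor a probing stranger learns who (if anyone) just authenticated.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32            # HMAC-SHA256 tag length
RESPONDER_ID = b"bob"   # the responder's identity is assumed known to the initiator

# Constructed peer table: Bob's long-term pre-shared keys with the peers he knows.
PEER_KEYS = {
    "alice": secrets.token_bytes(32),
    "carol": secrets.token_bytes(32),
}


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def initiator_hello(shared_key: bytes):
    """Initiator -> responder.  Only a fresh nonce and a tag go on the wire:
    no "I am Alice", so an eavesdropper cannot read off who is connecting."""
    nonce = secrets.token_bytes(16)
    return nonce, mac(shared_key, b"hello", nonce, RESPONDER_ID)


def responder_reply(peer_keys: dict, nonce: bytes, tag: bytes):
    """Responder identifies the initiator by trying each known peer key.
    On failure it still answers, with random bytes of the normal length, so a
    failed attempt looks like a success to an observer and a stranger learns
    nothing about which peers Bob knows."""
    for name, key in peer_keys.items():
        if hmac.compare_digest(tag, mac(key, b"hello", nonce, RESPONDER_ID)):
            return name, mac(key, b"reply", nonce, RESPONDER_ID)
    return None, secrets.token_bytes(TAG_LEN)


def initiator_verify(shared_key: bytes, nonce: bytes, reply: bytes) -> bool:
    """Initiator checks that the reply came from a holder of the shared key."""
    return hmac.compare_digest(reply, mac(shared_key, b"reply", nonce, RESPONDER_ID))


def run_handshake(peer_keys: dict, initiator_key: bytes):
    """Drive one exchange.  Returns (who Bob thinks it was, whether the initiator accepted)."""
    nonce, tag = initiator_hello(initiator_key)
    who, reply = responder_reply(peer_keys, nonce, tag)
    return who, initiator_verify(initiator_key, nonce, reply)
```

Two caveats a practitioner would add: the trial loop is linear in the size of the peer table and its running time leaks how many keys were tried, and because the initiator picks the nonce a replayed hello still gets a reply (a real protocol adds a responder nonce or a nonce cache). Hiding Bob as well, as the slide says, needs public keys: with only shared secrets there is nothing Alice can encrypt "to Bob" without first naming him.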
Anonymous Credentials

The cinema scenario: you can come in if you have bought a ticket!
- Aim: gain privileges by proving that you have some attributes, according to some authority, without revealing any identity.
- Players: authority (the box office), prover (the spectator), verifier (the ticket checker).
- Distinct from capabilities (Needham): no ID string.

The state of the art:
- Any string or number as an attribute.
- Can prove arbitrary Boolean statements on attributes.
- Can prove range statements.
- With double-spending controls you have digital cash.

Downside: heavy crypto and patents. Multi-show (IBM), single-show (Credentica).
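The box office / spectator / ticket checker scenario above, worked as an added example that is not the talk's own code and is neither the IBM nor the Credentica scheme: a Chaum-style blind RSA signature used as a single-show credential. The box office signs a blinded serial once payment is made (it never sees the serial), the spectator unblinds the signature, and the checker verifies it against the box office's public key and keeps the set of serials already admitted, which is the double-spending control the slide mentions. The modulus (two small primes), the exponent and the SHA-256-mod-N hash are toy parameters chosen so the demo runs; they are nowhere near secure values.

```python
import hashlib
import math
import secrets

# Toy RSA key for the box office (constructed; far too small to be secure).
P, Q = 1000000007, 1000000009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent


def h(serial: bytes) -> int:
    """Hash the ticket serial into Z_N (toy full-domain hash: SHA-256 mod N)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def spectator_blind(serial: bytes):
    """Spectator hides the serial behind a random blinding factor r coprime to N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (h(serial) * pow(r, E, N)) % N
    return blinded, r


def box_office_sign(blinded: int) -> int:
    """Box office signs the blinded value; it learns nothing about the serial."""
    return pow(blinded, D, N)


def spectator_unblind(blind_sig: int, r: int) -> int:
    """(m * r^E)^D = m^D * r, so dividing by r leaves a signature on m."""
    return (blind_sig * pow(r, -1, N)) % N


def checker_verify(serial: bytes, sig: int) -> bool:
    """Anyone with the public key (N, E) can check the ticket; no identity involved."""
    return pow(sig, E, N) == h(serial)


class TicketChecker:
    """Verifier at the door: checks the signature and refuses a serial seen before."""

    def __init__(self):
        self.seen = set()

    def admit(self, serial: bytes, sig: int) -> bool:
        if not checker_verify(serial, sig):
            return False
        if serial in self.seen:
            return False          # double spending: same single-show credential again
        self.seen.add(serial)
        return True


def buy_ticket():
    """Full spectator flow: pick a serial, get it blind-signed, unblind."""
    serial = secrets.token_bytes(16)
    blinded, r = spectator_blind(serial)
    return serial, spectator_unblind(box_office_sign(blinded), r)
```

Because the box office only ever sees the blinded value, it cannot link a ticket shown at the door to the purchase that produced it; the price is that a ticket is good for exactly one showing, since the only way to stop re-use is for the verifier to remember serials. Multi-show credentials of the kind the slide attributes to IBM avoid that list at the cost of considerably heavier cryptography.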
A fresh look at “The Secure Channel”

A commonly deployed security mechanism.
- A success story: what we can do well!
- Widely deployed for messages and streams.
- Examples: PGP, S/MIME, SSL, SSH, IPsec, . . .

A closer look at the properties:
- Authenticity: we talked about this before.
- Confidentiality: no third party should be able to read it.
- Integrity: no third party should be able to modify it.
- (Non-repudiation): you should not be able to deny what you said.

Does all this sound right?
Security is whispering into each other's ear

The secure channel model was good for the military/commercial world:
- Key management can be done safely (remember the armies).
- Want to archive carefully.
- B2B transactions may need to turn up in court.

What about instant messaging? Keep things Off-The-Record.
- Or briefing a journalist, talking on the phone to your lawyer. . .
- Plausible deniability (not non-repudiation): no bit-string can be used in court to prove that some action was performed or that you said something (Michael Roe!).
- Forward secrecy: once the communication is securely over, I cannot decrypt it any more. (It is gone, and no amount of pressure will do!)
- Still want authenticity, confidentiality and integrity.
Pushing the boundaries of the secure channel: Anonymity

Key questions and properties:
- Should anyone know with whom I am talking? (Third-party anonymity.)
- Should the website I am visiting know who I am? And correlate my visits? (Sender/initiator anonymity.)
- Should those who want to contact me know who I am / where I am? (Receiver/server anonymity.)

More generally: freedom from traffic analysis?
- TA can be used to extract information, particularly from streams of data (the SSL RFC has a warning).
- TA can be used for target selection: which laptop to steal? Which house to break into? Which server to attack?
- Location privacy is becoming a problem. Anonymization techniques are useful there too.

Deployed systems: Java Anon Proxy, Tor, Mixminion, Anonymizer.
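Traffic analysis of an encrypted stream, as an added example that is not from the talk: the observer sees only the lengths of the encrypted records, yet a nearest-neighbour match against previously recorded length patterns identifies which page was fetched, which is the point of the warning the slide refers to. The traces and page names are constructed for the demo; the padding function is the countermeasure (fixed-size records and a minimum record count) that makes the three pages' traces collapse into one.

```python
from collections import Counter

# Constructed training traces: record lengths in bytes seen on the wire during
# earlier fetches of three pages over a secure channel.  Ciphertext is opaque;
# only lengths and counts are used below.
TRAINING = {
    "login":  [[517, 1450, 1450, 320], [517, 1450, 1450, 318], [520, 1450, 1450, 321]],
    "search": [[610, 1450, 1450, 1450, 1450, 900], [612, 1450, 1450, 1450, 1450, 905]],
    "logout": [[480, 210], [481, 212]],
}

BIN = 50  # bytes per histogram bin


def fingerprint(trace):
    """Features an eavesdropper can compute without any key:
    record count, total bytes, and a histogram of binned record lengths."""
    return len(trace), sum(trace), Counter(length // BIN for length in trace)


def distance(fp_a, fp_b):
    """Ad hoc distance between two fingerprints (smaller is more similar)."""
    count_a, total_a, hist_a = fp_a
    count_b, total_b, hist_b = fp_b
    hist_diff = sum(abs(hist_a[k] - hist_b[k]) for k in set(hist_a) | set(hist_b))
    return abs(count_a - count_b) + abs(total_a - total_b) / 100 + hist_diff


def classify(trace, training=TRAINING):
    """Nearest-neighbour guess of which page an observed trace belongs to."""
    fp = fingerprint(trace)
    candidates = [(distance(fp, fingerprint(t)), page)
                  for page, traces in training.items() for t in traces]
    return min(candidates)[1]


def pad_trace(trace, record_size=1500, min_records=8):
    """Countermeasure: pad every record to a fixed size and every trace to a
    minimum number of records, so the length and count features carry nothing."""
    return [record_size] * max(len(trace), min_records)


def defended_training(training=TRAINING):
    """What the attacker's training set looks like once the server pads."""
    return {page: [pad_trace(t) for t in traces] for page, traces in training.items()}
```

Padding costs bandwidth, which is why it is rarely on by default, and timing (inter-record gaps) is a second channel that this example does not even touch; real fingerprinting attacks use both. The example is only meant to show that the confidentiality property of the secure channel says nothing about what the lengths give away.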
Compulsion Resistance (please don't hurt me!)

Already hinted at forward secrecy / forward security:
- After some time/steps no one should be able to compromise the security properties.
- Anyone who may come under physical pressure / blackmail would value that.
- An issue for those without armies, security fences and guards.

Other forms of compulsion resistance:
- Steganographic file systems: under compulsion you can reveal some files, but hide others. (First step: encrypted, fail-safe.)
- Safebox folders: you can put data in, but not decrypt it until you are back home. (Photographers / journalists in war zones would love that. No need for public key crypto.)
- Election schemes: you cannot prove how you voted (‘receipt-freeness’).
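The Off-The-Record properties from the secure-channel slide and the safebox folder from this slide rest on the same two ideas, so one added example (not the talk's code, and not the OTR protocol itself) serves both. A one-way key chain gives forward secrecy without public-key crypto: the field device holds only the current chain key, seals each file under a per-step key and then replaces the chain key by its hash image, so a device seized after step i contains no key for any earlier step, while the home base that kept the seed rederives every key in order. A MAC under a key both parties hold gives plausible deniability: the receiver can verify a tag but could equally have produced it, so the transcript proves nothing to a third party. The HMAC-counter stream cipher, the derivation labels and the sample files are constructed for the demo; a real system would seal with an AEAD.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256)."""
    return hmac.new(key, label, hashlib.sha256).digest()


class ForwardSecureChain:
    """Keeps only the current chain key.  Each step hands out a per-step key and
    advances the chain through a one-way function, so earlier keys cannot be
    recovered from later state."""

    def __init__(self, seed: bytes):
        self._chain = seed
        self.step = 0

    def next_key(self) -> bytes:
        step_key = kdf(self._chain, b"step-key")
        self._chain = kdf(self._chain, b"chain")   # previous chain key is overwritten
        self.step += 1
        return step_key

    def state(self) -> bytes:
        """What a seizing adversary gets: the current chain key only."""
        return self._chain


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, counter) blocks.  The same
    call seals and opens.  Use an AEAD in practice."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = kdf(key, offset.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def field_device_seal(chain: ForwardSecureChain, files):
    """Safebox: seal each file under a fresh step key; the key is not kept."""
    return [keystream_xor(chain.next_key(), f) for f in files]


def home_base_open(seed: bytes, sealed):
    """Home base kept the seed, so it can rederive every step key in order."""
    chain = ForwardSecureChain(seed)
    return [keystream_xor(chain.next_key(), c) for c in sealed]


def deniable_tag(mac_key: bytes, message: bytes) -> bytes:
    """OTR-style authentication: either holder of mac_key can make this tag, so
    it convinces the peer but is worthless as evidence to anyone else."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify_tag(mac_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag, deniable_tag(mac_key, message))


def forge_as_peer(mac_key: bytes, message: bytes) -> bytes:
    """The receiver can fabricate a valid tag on any message it likes; that is
    exactly why the tag cannot be used against the sender."""
    return deniable_tag(mac_key, message)
```

Contrast this with a digital signature, which only the signer's private key can produce: it gives the non-repudiation the previous slide lists, which is precisely the property a journalist's source does not want. Forward secrecy here depends on the device really discarding the old chain key; on real hardware that means overwriting memory and not leaving copies in swap or logs, which is an implementation matter this example ignores.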
The Hard Part: Data Sharing

To buy things and get services you need to share data:
- Payments, delivery addresses, system configuration, . . .
- Often with more powerful entities, and little choice.
- Once your data is out there, how do you protect it? How do you control its use?

Data protection regimes:
- EU/Canada/Australia: data protection legislation imposes standards.
- Little enforcement: violations are well funded and technologically supported; enforcement is underfunded and non-technological.
- Technologies to support data protection: automatic audits, Chinese wall policies, design of privacy-friendly architectures, standard protocols. Integration of privacy in the overall software process (JC Cannon).
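A Chinese wall policy of the kind the slide lists, as an added example that is not from the talk (a simplified form of the Brewer and Nash rule): companies are grouped into conflict-of-interest classes; once a subject has read one company's data it is denied the data of every competitor in the same class, and it may write to a company's data only if it has read nothing belonging to any other company. Every decision is appended to an audit trail, for the automatic audits the slide asks for. The class layout, subjects and company names are constructed for the demo.

```python
class ChineseWall:
    """Simplified Brewer-Nash Chinese wall.  Access history is the policy's
    state: what a subject may see tomorrow depends on what it read today."""

    def __init__(self, conflict_classes):
        # conflict_classes: {class name: {company, ...}} (constructed input)
        self.class_of = {company: name
                         for name, companies in conflict_classes.items()
                         for company in companies}
        self.history = {}   # subject -> set of companies whose data it has read
        self.audit = []     # (subject, action, company, allowed)

    def _record(self, subject, action, company, allowed):
        self.audit.append((subject, action, company, allowed))
        return allowed

    def may_read(self, subject, company):
        """Denied if the subject already read a different company in the same class."""
        cls = self.class_of[company]
        seen = self.history.get(subject, set())
        return all(other == company or self.class_of[other] != cls for other in seen)

    def read(self, subject, company):
        allowed = self.may_read(subject, company)
        if allowed:
            self.history.setdefault(subject, set()).add(company)
        return self._record(subject, "read", company, allowed)

    def write(self, subject, company):
        """Simplified write rule: no information may flow across the wall, so a
        subject that has read any other company's data may not write here."""
        seen = self.history.get(subject, set())
        allowed = self.may_read(subject, company) and seen <= {company}
        return self._record(subject, "write", company, allowed)

    def denials(self):
        """The part of the audit trail a compliance check would look at first."""
        return [entry for entry in self.audit if not entry[3]]
```

The full Brewer and Nash model also distinguishes sanitised data, which may cross the wall, and the write rule there is stated in terms of what the subject can read rather than what it has read; the version above keeps only the core idea that the policy is stateful, which is what makes it awkward to enforce with ordinary access-control lists and is why the slide pairs it with automatic audits.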
The new availability: censorship resistance

Presenting privacy as security for the small entities explains its links with peer-to-peer computing.
- In pure P2P all nodes can perform all functions: massive resilience, perfect for the weak.
- No a priori centralisation, only loose coordination.
- Obvious first application: communicate and share information. (The surprise says a lot about system and security design.)
- Popularity due to hostile environment (security/resilience).

Reputable and marketable applications:
- Efficient and resilient distributed systems (Rowstron: Pastry).
- Robust and cheap delivery: BitTorrent.
- Bridging NATs: Skype; firewall-piercing modes of Tor.
- Bypassing port 22 (SSH) restrictions.
- The future: social networking / expert finding. . .
Abuse Resistance is a PET enabler

Privacy-friendly security policies must integrate countermeasures to abuse. Examples:
- Credentials: double-spending detection for coins, private blacklisting for abusers.
- Bulletin boards: social-network-based reputation, ranking of articles, moderation.
- Peer-to-peer: Sybil attack (John Douceur) resistance.
- Open research area, dependent on the application.

The dangers of ‘escrow’ or ‘revocable privacy’:
- Why would you trust the revocation authority?
- Often too abstract.
- Include the revocation process in the security model, and judge its robustness to abuse. Impose technical checks and balances. Demand efficient and automated audits.
- Otherwise ‘just say no’: too tempting to abuse.
Some Conclusions. . .

A fresh view of privacy:
- It is time for privacy properties to become first class security properties, and a new set of directions.
- Privacy as informational self-determination: control over your information environment, the most valued security property.
- Use tools from security engineering to achieve this (not marketing! But maybe economics, usability. . .).

Challenges and opportunities:
- Properties would also benefit enterprises and governments, and overall strengthen infrastructure.
- In high assurance circles: traffic analysis resistance, location anonymity, compulsion resistance, . . . are already requirements.
- Data sharing assurances must be integrated in the process (but so is all security!). Novel technical support is badly needed.
- Abuse control: necessary to find solutions outside the (escrow) box.
. . . and pointers.

- Any questions?
- Contact me: George [email protected]
- Come to the Privacy Enhancing Technologies Workshop, Ottawa, May-June 2007.